FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    How to setup reverse proxy for an SSO session bootstrap

    Scheduled Pinned Locked Moved Unsolved
    Q&A
    2
    3
    47
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      joseantonio
      last edited by joseantonio

      I'm glad it's finally possible to bootstrap an SSO session manually as described here, nice!

      However, as part of the explanation on how to actually achieve it, there's a step that's not explained in detail, which is:

      "FusionAuth requires the access token to be in an Authorization header. Because browsers do not provide a way to set the Authorization header when browsing to a location, you’ll need to add the header using, for example, a reverse proxy.""

      I managed to make it work using nginx as the reverse proxy, I've published a gist to show how.
      Is this approach correct?

      The only thing that seems off is that after redirecting to oauth2/authorize, FusionAuth redirects to the redirect_uri provided, but includes an error about the response_type in the url (SSO session is correctly created though).

      mark.robustelliM 1 Reply Last reply Reply Quote 0
      • mark.robustelliM
        mark.robustelli @joseantonio
        last edited by

        @joseantonio said in How to setup reverse proxy for an SSO session bootstrap:

        here

        Thank you for sharing. What is the error that you are getting about the response_type?

        J 1 Reply Last reply Reply Quote 0
        • J
          joseantonio @mark.robustelli
          last edited by joseantonio

          @mark-robustelli

          This is the error shown in the url after oauth2/authorize redirects to redirect_uri:

          ?error=invalid_request&error_reason=missing_response_type&error_description=The+request+is+missing+a+required+parameter%3A+response_type

          At some point I used a combination of these two params in the oauth2/authorize endpoint to prevent it, is this safe to do or may it come with possible drawbacks?

          • response_type=code
          • response_mode=form_post

          Thanks!

          1 Reply Last reply Reply Quote 0
          • First post
            Last post